BlackSuit Ransomware Takedown Disables 9 Domains and 4 Servers, Seizes $1M

Written by: Lore Apostol, Cybersecurity Writer

An international law enforcement operation targeted the infrastructure of BlackSuit, a notorious ransomware group responsible for persistent attacks on critical infrastructure. BlackSuit is also tracked as Royal, because the same Russian threat actor is believed to operate both ransomware strains.

Coordinated Disruption and Asset Seizure  

The infrastructure seizure neutralized four servers and nine domains essential to the group's operations. Investigators also seized laundered cryptocurrency proceeds valued at $1,091,453 at the time of seizure, a pivotal step in disabling the group's financial framework.

The operation stemmed from extensive investigations that traced funds linked to victims’ ransom payments.  

The most impactful BlackSuit cyber intrusion is the 2024 attack on CDK Global, which allegedly paid a $25 million ransom to the hackers.

The Royal and BlackSuit ransomware groups have compromised over 450 known entities in the healthcare, education, public safety, energy, and government sectors in the U.S. since 2022. 

The dismantling effort, executed on July 24, 2025, was a joint endeavor led by the Department of Homeland Security’s Homeland Security Investigations (HSI), the FBI, the U.S. Secret Service, and international law enforcement agencies from the U.K., Germany, Canada, and more. 

Implications for Cybersecurity  

The Royal ransomware disruption dealt a critical blow to a cybercriminal enterprise that has targeted industries such as healthcare, government facilities, and critical manufacturing.

Deputy Assistant Director Michael Prado of HSI’s Cyber Crimes Center emphasized that the operation’s objective was not just to take down individual components but to dismantle the entire ecosystem that enables ransomware attacks.

Looking Ahead  

While the cybercrime crackdown is a remarkable achievement, Craig Jones, Chief Security Officer at Ontinue, stated that without arrests, the operators behind BlackSuit can restart operations under a new name.

Meanwhile, security researchers last month observed that the newly emerged Chaos ransomware group overlaps with BlackSuit. Talos asserts that Chaos RaaS could be either a BlackSuit rebrand or an operation run by some of its members.

The impacted sectors “need to be hardening privileged accounts, locking down lateral movement options like PowerShell, and hardening Domain Admin usage patterns,” stated Bugcrowd’s Chief Strategy and Trust Officer, Trey Ford.
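The three hardening steps named in that quote can be turned into a concrete audit. The following PowerShell script is an added example written for this article, not code from the article's author or from any of the organizations quoted. It assumes a domain-joined management host with the ActiveDirectory RSAT module and local administrator rights, that the domain has the built-in "Protected Users" group, and that the registry paths shown (the documented policy keys for PowerShell script block and module logging) are acceptable to set locally rather than through Group Policy. The cmdlet names to look for in the detection step (Invoke-Command, Enter-PSSession, New-PSSession) are an assumed starting list, not a complete one.

```powershell
# Added example (not from the article): audit Domain Admin usage, make
# PowerShell activity visible to defenders, and review recent remoting usage.
# Assumptions: ActiveDirectory RSAT module present, run elevated on a
# domain-joined host, "Protected Users" group exists (2012 R2+ domain schema).

Import-Module ActiveDirectory

# 1. Domain Admin usage: list each human Domain Admin account and flag those
#    not in "Protected Users", which denies NTLM, cached credentials and
#    delegation for its members and so limits how a stolen admin credential
#    can be reused for lateral movement.
function Get-DomainAdminAudit {
    $protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate, PasswordLastSet
            [PSCustomObject]@{
                Account          = $user.SamAccountName
                InProtectedUsers = ($protectedUsers -contains $user.SamAccountName)
                LastLogon        = $user.LastLogonDate
                PasswordLastSet  = $user.PasswordLastSet
            }
        }
}

# 2. PowerShell visibility: enable script block logging (event 4104) and
#    module logging (event 4103) via the documented policy registry keys.
function Enable-PowerShellLogging {
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    $ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    New-Item -Path "$ml\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    # '*' = log all modules
    Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -Type String
}

# 3. Lateral-movement review: pull the last day of script block events and
#    surface those that invoke remoting cmdlets, so unexpected admin-to-host
#    hops can be reviewed. The cmdlet list is an assumed starting point.
function Get-RecentRemotingActivity {
    param([int]$Days = 1)
    $pattern = 'Invoke-Command|Enter-PSSession|New-PSSession'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[0] } }
}

# Usage:
Get-DomainAdminAudit | Format-Table -AutoSize
Enable-PowerShellLogging
Get-RecentRemotingActivity -Days 1 | Format-Table -AutoSize
```

The audit step is read-only and safe to run first; the logging step writes machine-wide policy keys and should normally be pushed through Group Policy in production rather than set by hand. On hosts that never need to accept remote sessions, Disable-PSRemoting -Force removes the inbound PowerShell remoting endpoints entirely, which is the more direct way to "lock down" that lateral-movement path.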

In other news, the DOJ seized over $7.74 million in a North Korean crypto laundering crackdown in June.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: